On 07/28 10:53 ,
lanceh1412-business AT yahoo.co DOT uk
wrote:
> Just trying to harden security. My concern is if
someone had physical access to backuppc server they
could easily logon as backuppc user by resetting the
password and therefore gain access to the ssh keys.
Now I see it is possible to put the ssh keys in
an encrypted private
directory (See EncryptedPrivateDirectory - Community
Help Wiki). This would mean that even if someone could
reset the password and logon as backuppc they wouldn't
have access to the keys.
> Has anyone done this or would recommend this way
or got any other suggestions?
My logic for my setup is:
if someone has access to the BackupPC server, they have
all the data on all
the computers being backed up. At that point, the risk
is whether they could
modify data on the live server.
To avoid that risk, I don't allow the BackupPC server
write access to the
machines being backed up, only read access. The restores
aren't really much
more inconvenient (I tend to use tar+netcat for restores
on Linux boxen, and
zipfile downloads on Windows boxen), and I feel like I
have more confidence
that I'm not going to accidentally clobber the wrong
data.
--
Carl Soderstrom
Systems Administrator
Real-Time Enterprises
www.real-time.com